Description
Goal This assignment has two main goals. First, you will examine how programs use the runtime stack to store local variables, arguments and the return address. You will do this using a set of snippets and then you will mount a buffer-overflow, stack-smash attack on an SM213 program. Second, you will examine a few SM213 programs to determine what they do. Assembly-code reading is actually a bit harder than writing. And so, this is the next step in deepening your understanding of this low-level approach to program. Your goal will be to add high-level comments to the lines of code and to show an equivalent C program. That is, you are the decompiler this time. Groups You may do this assignment in groups of two if you like. If you do, be sure that you both contribute equally to the assignment and that you each work on every part of the assignment. Do not split up the assignment in such a way that one of you does one part and the other does another part. Keep in mind that the core benefit to you of doing the assignment is the learning that happens while you do it. Each assignment is worth only around 1.8% of your grade, but what you learn while doing the assignment goes a long way to determining the other 85%. If you choose to do the entire assignment with a partner, submit one solution via handin and list both of your names, student numbers, and computer-science login ids in the README file. Alternatively, you can also choose to collaborate with another student for a portion of the assignment and have your work marked individually. Do do this, simply submit your own version via handin and list the other student as a collaborator in your README file. Just don’t do this if you and your partner are turning in identical solutions, as we would like to realize marking efficiency where possible. You may have at most one collaborator for the assignment; i.e., you can not collaborate with one student for one part of the assignment and another student for another part.
Provided Code The file https://www.ugrad.cs.ubc.ca/~cs213/cur/Assignments/a5/code.zip contains the code you will use this week. It includes the following files • S7-static-call.{java,c} and S7-static-call-{reg,stack}.s • S8-locals-args.{java,c,s} • S9-args.{java,c} and S9-args-{regs,stack}.s • copy.c • A5-{a,b}.s Part I: The Stack Here are the requirements for Part I of this week’s assignment. 1. Carefully examine the execution of S7-static-call-stack in the simulator and compare it to S7-static-call-regs. Unlike previous assignments, do not document what you see. Run the snippets and look carefully at what happens. Then, do the following: a) Describe, in high-level, plan English, the difference between the two approaches. b) List one benefit of each approach. 2. Carefully examine the execution of S8 in the simulator. Do not document what you see. Do the following with S8-locals-args.s: a) List the line(s) of b that allocate its stack frame. b) List the line(s) of b that de-allocate its stack frame. c) Modify the file to make the following two changes. Change b so that it has three arguments and change foo to call b (0, 1, 2). 3. Carefully examine both versions of S9 in the simulator. Do not document what you see. Do the following with S9-args-*.s: a) Compare the two versions to list the memory accesses that stack makes that regs doesn’t make. Group similar instructions and give a high-level, English description of each group. b) How many more memory accesses does stack make, compared to regs? 4. Write a simple SM213 assembly-language program that copies a 0-terminated array of integers (use Snippets 8 or 9 as a guide). Call this program copy.s. As shown below, the input array should be stored in a global variable called src. The destination array should be a local variable (i.e., stored on the stack). You need two procedures: one that copies the array, one that initializes the stack pointer and calls the copy procedure. Ensure that the copy procedure saves r6 (the return address) on the stack in its prologue and restores it from the stack in its epilogue, as shown in class. Here is a C template for the program, called copy.c. int src[2] = {1,0};
void copy() { int dst[2]; int i = 0; while (src[i] != 0) { dst[i] = src[i]; i++; } dst[i]=0; } int main () { copy (); } 5. Devise a buffer-overflow attack on this program that sets the value of every register to -1 and then halts. You are suck with a similar set of restrictions that a real attacker confronts. You may not modify the program in any way other than to change its input. In this case the input is stored in the string src. So, you can change src. You will need to make it bigger; you can make it as big as you like. This input array must contain the virus program and other values so that the while loop in copy overwrites the return address on the stack in such a way that copy jumps to the stack address of the virus when it returns (it may not jump to any part of the array src). Run your attack in the simulator and then describe how it works. Part II: Reading Assembly Code Here are the requirements for Part II. 1. Examine A5-a.s and its execution in the simulator. Add a comment to every line that explains what that line does in as high-level a way as possible. Ideally most comments will look like c statements; comments on load and store instructions, for example, must refer to variable names. Assign meaningful names to variables and procedures. Add labels using these names. Use snippet comments as a guideline. Then, write an equivalent C program called A5-a.c that is the most likely candidate for the file that was compiled into A5-a.s. Use the same variable and procedure names in this program that you used in the assembly-file comments. Ensure that there is a correspondence between lines in the assembly file and lines of the C program. 2. Do the same for A5-b.s. What to Hand In Use the handin program. The assignment directory is a5. 1. A single file called “README.txt” that includes your name, student number, four- or fivedigit cs-department undergraduate id (e.g., the one that’s something like a0b1).
2. If you had a partner for the entire assignment, turn in only one copy of your joint solution under one of your ids and list both student’s complete information in the README.txt file and include the text “PARTNER – MARK JOINTLY”. 3. If, on the other hand, you collaborated with another student for a portion of the assignment, but your solutions are not identical and you want them marked individually, each of you should include the other student’s complete information in your README.txt file, include the text “COLLABORATOR – MARK SEPARATELY”, and turn in copies separately via handin. 4. In README.txt, answer questions 1a, 1b, 2a, 2b, 3a, and 3b. 5. The file S8-locals-args.s, modified as specified in question 2c. 6. Your buffer-overflow program and the value of src you used to mount the attack in the file named copy.s. 7. A plain-English description of your virus and how it works in README.txt. 8. Your modified A5-a.s and A5-b.s your C files A5-a.c and A5-b.c
